Abstract

For a prime $p$ and an integer $a \in \mathbb{Z}$ we obtain nontrivial upper bounds on the number of solutions to the congruence $x^x \equiv a \pmod p$, $1 \le x \le p-1$. We use these estimates to estimate the number of solutions to the congruence $x^x \equiv y^y \pmod p$, $1 \le x, y \le p-1$, which is of cryptographic relevance.



1 Introduction 



For a prime $p$ and an integer $a \in \mathbb{Z}$ we denote by $N(p;a)$ the number of solutions to the congruence

$$x^x \equiv a \pmod p, \qquad 1 \le x \le p-1. \tag{1}$$

Obviously only the case of $\gcd(a,p) = 1$ is of interest.

We note that, other than the result of Crocker [3] showing that there are at least $\lfloor \sqrt{(p-1)/2} \rfloor$ incongruent values of $x^x \pmod p$ when $1 \le x \le p-1$, and our estimates, little appears to be known about the solutions to (1). The function $x \mapsto x^x \pmod p$ is also used in some cryptographic protocols (see [?, Sections 11.70 and 11.71]), so it certainly deserves further investigation; see also [8] for various conjectures concerning this function.

Here we suggest several approaches to studying this congruence and derive some upper bounds for $N(p;a)$.

Our first bound is nontrivial if $a$ is of small multiplicative order, which in the particular case when $a = 1$ takes the form $N(p;a) \le p^{1/3+o(1)}$ as $p \to \infty$. The second bound is nontrivial if $a$ is of large multiplicative order, which in the particular case when $a$ is a primitive root modulo $p$ takes the form $N(p;a) \le p^{11/12+o(1)}$ as $p \to \infty$.

Furthermore, both bounds combined imply that as $p \to \infty$, we have the uniform estimate

$$N(p;a) \le p^{12/13+o(1)}. \tag{2}$$

Finally, we estimate the number of solutions $M(p)$ to the symmetric congruence

$$x^x \equiv y^y \pmod p, \qquad 1 \le x, y \le p-1, \tag{3}$$

which has been considered by Holden & Moree [?] in their study of short cycles in the iterations of the discrete logarithm modulo $p$; see also [?]. However, no nontrivial estimate of $M(p)$ has been known prior to this work. Clearly

$$M(p) = \sum_{a=1}^{p-1} N(p;a)^2. \tag{4}$$

Thus using the bound (2) and the identity

$$\sum_{a=1}^{p-1} N(p;a) = p-1, \tag{5}$$

we immediately derive

$$M(p) \le p^{25/13+o(1)}. \tag{6}$$

However, here we obtain a slightly stronger bound, namely

$$M(p) \le p^{48/25+o(1)}.$$

Surprisingly enough, besides elementary number theory arguments, the bounds derived here rely on some results and arguments from additive combinatorics, in particular on results of Garaev [4].

For an integer $m \ge 1$ we use $\mathbb{Z}_m$ to denote the residue ring modulo $m$ and we use $\mathbb{Z}_m^*$ to denote the unit group of $\mathbb{Z}_m$.

Note that without the condition $1 \le x \le p-1$ (needed in the cryptographic application) there are always many solutions. Let $g$ be a primitive root modulo $p$. For any element $a \in \mathbb{Z}_p^*$ (and so for any integer $a \not\equiv 0 \pmod p$) we use $\operatorname{ind} a$ for its discrete logarithm modulo $p$, that is, the unique residue class $v \pmod{p-1}$ with

$$g^v \equiv a \pmod p.$$

Now, if for a primitive root $g$ we have

$$x \equiv p \operatorname{ind} a - (p-1) g \pmod{p(p-1)},$$

then

$$x^x \equiv g^{p \operatorname{ind} a - (p-1) g} = (g^p)^{\operatorname{ind} a} \cdot (g^{p-1})^{-g} \equiv a \pmod p.$$
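A brute-force check of the objects defined above, added here as an illustration and not part of the paper: it computes $N(p;a)$ and $M(p)$ for the constructed sample prime $p = 31$, verifies the identities (4) and (5), and confirms that the unrestricted solution $x \equiv p \operatorname{ind} a - (p-1)g \pmod{p(p-1)}$ satisfies $x^x \equiv a \pmod p$. All function names are the example's own.

```python
# Added example (not from the paper): brute-force check, for the constructed
# sample prime p = 31, of N(p; a), M(p), the identities (4) and (5), and the
# unrestricted solution x = p*ind(a) - (p-1)*g (mod p(p-1)).

def primitive_root(p):
    """Smallest primitive root modulo the prime p (brute force, small p only)."""
    phi = p - 1
    primes = {q for q in range(2, phi + 1)
              if phi % q == 0 and all(q % r for r in range(2, q))}
    for g in range(2, p):
        if all(pow(g, phi // q, p) != 1 for q in primes):
            return g
    raise ValueError("no primitive root found; is p prime?")

def ind_table(p, g):
    """Discrete logarithm ind a (mod p-1) to base g for every a in Z_p^*."""
    return {pow(g, v, p): v for v in range(p - 1)}

def count_solutions(p):
    """N(p; a) for every a in Z_p^*: solutions of x^x = a (mod p), 1 <= x <= p-1."""
    counts = {a: 0 for a in range(1, p)}
    for x in range(1, p):
        counts[pow(x, x, p)] += 1
    return counts

def symmetric_count(p):
    """M(p): pairs 1 <= x, y <= p-1 with x^x = y^y (mod p), counted directly."""
    vals = [pow(x, x, p) for x in range(1, p)]
    return sum(1 for u in vals for v in vals if u == v)

def unrestricted_solution(p, a):
    """The integer x = p*ind(a) - (p-1)*g (mod p(p-1)) from the text, which
    satisfies x^x = a (mod p) once the condition 1 <= x <= p-1 is dropped."""
    g = primitive_root(p)
    ind = ind_table(p, g)[a % p]
    return (p * ind - (p - 1) * g) % (p * (p - 1))

if __name__ == "__main__":
    p = 31
    N = count_solutions(p)
    assert sum(N.values()) == p - 1                              # identity (5)
    assert sum(n * n for n in N.values()) == symmetric_count(p)  # identity (4)
    for a in range(1, p):
        x = unrestricted_solution(p, a)
        assert pow(x, x, p) == a            # x^x = a (mod p), but x > p - 1
    print("N(31; 1) =", N[1], " M(31) =", symmetric_count(p))
```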

2 Elements of Small Order

We need to recall some notions and results from additive combinatorics. For a prime $p$ and a set $\mathcal{A} \subseteq \mathbb{Z}_p^*$ we define the sets

$$\mathcal{A} + \mathcal{A} = \{a_1 + a_2 : a_1, a_2 \in \mathcal{A}\}, \qquad \mathcal{A} \cdot \mathcal{A} = \{a_1 a_2 : a_1, a_2 \in \mathcal{A}\}.$$

Our bound on $N(p;a)$ makes use of the following estimate of Garaev [4, Theorem 1].

Lemma 1 For any set $\mathcal{A} \subseteq \mathbb{Z}_p^*$,

$$\#(\mathcal{A} + \mathcal{A}) \cdot \#(\mathcal{A} \cdot \mathcal{A}) \gg \min\left\{ p \#\mathcal{A}, \frac{(\#\mathcal{A})^4}{p} \right\}.$$
Let $\operatorname{ord} a$ denote the multiplicative order of $a \in \mathbb{Z}_p^*$.

Theorem 2 Uniformly over $t \mid p-1$, we have, as $p \to \infty$,

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a \mid t}} N(p;a) \le \max\{t, p^{1/2} t^{1/4}\} p^{o(1)}.$$

Proof. Fix a primitive root $g$ modulo $p$. The union over the non-zero residue classes $a$ with $\operatorname{ord} a \mid t$ of all the solutions to (1) is precisely the set of solutions to

$$x^{tx} \equiv 1 \pmod p, \qquad 1 \le x \le p-1. \tag{7}$$

This congruence is equivalent to

$$t x \operatorname{ind} x \equiv 0 \pmod{p-1},$$

or, if we put

$$T = \frac{p-1}{t},$$

to

$$x \operatorname{ind} x \equiv 0 \pmod T,$$

or, after fixing $d \mid T$ and considering only the solutions to (7) with

$$\gcd(x, T) = d,$$

they can be written as $x = dy$ and satisfy

$$\operatorname{ind}(dy) \equiv 0 \pmod{T_d}, \qquad 1 \le y \le D, \qquad \gcd(y, T_d) = 1, \tag{8}$$

where

$$T_d = \frac{T}{d} \qquad \text{and} \qquad D = \frac{p-1}{d}.$$

Let us denote by $\mathcal{Y}_d$ the set of integers $y$ satisfying (8), and by $\mathcal{W}_d$ the set of the residue classes modulo $p$ represented by the elements of $\mathcal{Y}_d$. Obviously $\#\mathcal{Y}_d = \#\mathcal{W}_d$, and we have

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a \mid t}} N(p;a) = \sum_{d \mid T} \#\mathcal{Y}_d = \sum_{d \mid T} \#\mathcal{W}_d. \tag{9}$$

First note that

$$\#(\mathcal{W}_d + \mathcal{W}_d) \le \#(\mathcal{Y}_d + \mathcal{Y}_d) \le 2D \tag{10}$$

from the second condition in (8).

Furthermore, the product set of $\mathcal{W}_d$ is contained in

$$\{w \in \mathbb{Z}_p^* : \operatorname{ind}(d^2 w) \equiv 0 \pmod{T_d}\},$$

and so

$$\#(\mathcal{W}_d \cdot \mathcal{W}_d) \le \frac{p-1}{T_d} = dt. \tag{11}$$

Hence, applying Lemma 1 and using the bounds (10) and (11), we see that

$$\min\left\{ p \#\mathcal{W}_d, \frac{(\#\mathcal{W}_d)^4}{p} \right\} \ll pt.$$

Hence

$$\#\mathcal{W}_d \ll \max\{t, p^{1/2} t^{1/4}\}. \tag{12}$$

Recalling the bound on the divisor function $\tau(k)$,

$$\tau(k) = \sum_{d \mid k} 1 = k^{o(1)}, \tag{13}$$

see [5, Theorem 315], and using (12) in (9), we conclude the proof. □
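An added worked check of the reduction used in the proof above (example code, not from the paper): for the constructed sample values $p = 31$, $t = 3$ and primitive root $g = 3$ it verifies that the solutions of (7) are the union of the solutions of (1) over $a$ with $\operatorname{ord} a \mid t$, partitions them by $d = \gcd(x, T)$ into the sets $\mathcal{Y}_d$ of (8), and checks the counting identity (9) and the bounds (10) and (11). Function names are the example's own.

```python
# Added example (not the paper's own code): brute-force check of the steps in
# the proof of Theorem 2 for constructed sample parameters (p, t, g) = (31, 3, 3).
from math import gcd

def ind_table(p, g):
    """Discrete logarithm to base g (a primitive root): ind a for every a in Z_p^*."""
    return {pow(g, v, p): v for v in range(p - 1)}

def small_order_solutions(p, t):
    """Union over a with ord a | t of the solutions to x^x = a (mod p), which by
    (7) is {x : x^{tx} = 1 (mod p), 1 <= x <= p-1}; both descriptions are compared."""
    direct = {x for x in range(1, p) if pow(pow(x, x, p), t, p) == 1}
    via_7 = {x for x in range(1, p) if pow(x, t * x, p) == 1}
    assert direct == via_7
    return direct

def partition_by_d(p, t, g):
    """Split the solutions of (7) by d = gcd(x, T), T = (p-1)/t, and return the
    sets Y_d of (8); the bounds (10) and (11) on W_d are checked along the way."""
    ind = ind_table(p, g)
    T = (p - 1) // t
    sols = small_order_solutions(p, t)
    Y = {}
    for d in (d for d in range(1, T + 1) if T % d == 0):
        Td, D = T // d, (p - 1) // d
        # (8): ind(dy) = 0 (mod T_d), 1 <= y <= D, gcd(y, T_d) = 1
        Y[d] = {y for y in range(1, D + 1)
                if ind[d * y] % Td == 0 and gcd(y, Td) == 1}
        assert Y[d] == {x // d for x in sols if gcd(x, T) == d}   # x = d*y
        W = Y[d]                       # residues mod p of Y_d (y <= D < p)
        sums = {(w1 + w2) % p for w1 in W for w2 in W}
        prods = {(w1 * w2) % p for w1 in W for w2 in W}
        assert len(sums) <= 2 * D      # (10)
        assert len(prods) <= d * t     # (11): products have ind(d^2 w) = 0 (mod T_d)
    assert sum(len(s) for s in Y.values()) == len(sols)          # (9)
    return Y

if __name__ == "__main__":
    Y = partition_by_d(31, 3, 3)       # 3 is a primitive root modulo 31
    for d, s in sorted(Y.items()):
        print(f"d = {d:2d}  #Y_d = {len(s):2d}  dt = {d * 3:2d}  2D = {2 * 30 // d}")
```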

Corollary 3 Uniformly over $t \mid p-1$ and all integers $a$ with $\gcd(a,p) = 1$ of multiplicative order $\operatorname{ord} a = t$, we have, as $p \to \infty$,

$$N(p;a) \le \max\{t, p^{1/2} t^{1/4}\} p^{o(1)}.$$

Next we show that if $t$ is very small then the bound of Theorem 2 can be improved. For example, this applies to the most interesting special case of the congruence (1), namely the case $a = 1$.

Theorem 4 Uniformly over $t \mid p-1$, we have, as $p \to \infty$,

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a \mid t}} N(p;a) \le p^{1/3+o(1)} t^{2/3}.$$

Proof. We follow the proof of Theorem 2 up to (11), but finish the argument in a different way to derive a new bound for $\#\mathcal{Y}_d$. Let us define

$$s(b) = \#\{(y_1, y_2) : y_1, y_2 \in \mathcal{Y}_d,\ y_1 y_2 \equiv b \pmod p\}.$$

First note that $s(b) > 0$ only when $b \in \mathcal{W}_d \cdot \mathcal{W}_d$, and so

$$(\#\mathcal{Y}_d)^2 = \sum_{b \in \mathbb{Z}_p} s(b) \le \#(\mathcal{W}_d \cdot \mathcal{W}_d) \max_{b \in \mathbb{Z}_p} s(b). \tag{14}$$

If $(y_1, y_2)$ is counted in $s(b)$ then on the one hand $y_1 y_2 \equiv b \pmod p$, on the other hand $1 \le y_1 y_2 \le D^2$ (where as before $D = (p-1)/d$), therefore $y_1 y_2 = b + kp$, where $0 \le k \le p/d^2$. Thus the product $y_1 y_2$ can take at most $p/d^2 + 1$ possible values $y_1 y_2 = z$, and once $z$ is fixed, there are $\tau(z) = z^{o(1)} = p^{o(1)}$ possibilities for the pair $(y_1, y_2)$, see (13). Thus

$$s(b) \le (p/d^2 + 1) p^{o(1)},$$

which after inserting in (14) and recalling (11) yields

$$\#\mathcal{Y}_d \le \left( (pt/d)^{1/2} + (td)^{1/2} \right) p^{o(1)}. \tag{15}$$

For $d \le p^{1/3} t^{-1/3}$ we use $\#\mathcal{Y}_d \le dt$ from the first condition of (8), and for $d \ge p^{2/3} t^{-1/3}$ we use $\#\mathcal{Y}_d \le D$ from the second condition of (8). Therefore we obtain

$$\#\mathcal{Y}_d \le p^{1/3} t^{2/3} \qquad \text{and} \qquad \#\mathcal{Y}_d \le p^{1/3} t^{1/3},$$

respectively.

Finally, for $p^{1/3} t^{-1/3} < d < p^{2/3} t^{-1/3}$ we use (15) to derive

$$\#\mathcal{Y}_d \le \left( p^{1/3} t^{2/3} + p^{1/3} t^{1/3} \right) p^{o(1)} = p^{1/3+o(1)} t^{2/3}.$$

Using these bounds with (13) in (9) we conclude the proof. □

Corollary 5 Uniformly over $t \mid p-1$ and all integers $a$ with $\gcd(a,p) = 1$ of multiplicative order $\operatorname{ord} a = t$, we have, as $p \to \infty$,

$$N(p;a) \le p^{1/3+o(1)} t^{2/3}.$$
3 Elements of Large Order

Here we use a different argument, which is similar to the one used in [1], and a bound of [2] on the number of solutions of an exponential congruence plays the crucial role. However, this approach is effective only for values of $a$ of sufficiently large order.

We recall the following estimate, given in [2, Lemma 7], on the number of zeros of sparse polynomials over a finite field $\mathbb{F}_q$ of $q$ elements.

Lemma 6 For $n \ge 2$ given elements $a_1, \ldots, a_n \in \mathbb{F}_q^*$ and integers $k_1, \ldots, k_n \in \mathbb{Z}$, let us denote by $Q$ the number of solutions of the equation

$$\sum_{i=1}^{n} a_i X^{k_i} = 0, \qquad X \in \mathbb{F}_q^*.$$

Then

$$Q \le 2 q^{1-1/(n-1)} \Delta^{1/(n-1)} + O\left( q^{1-2/(n-1)} \Delta^{2/(n-1)} \right),$$

where

$$\Delta = \min_{1 \le i \le n} \max_{j \ne i} \gcd(k_j - k_i, q-1).$$

We are now ready to prove the main result of this section.

Theorem 7 Uniformly over $t \mid p-1$ and all integers $a$ with $\gcd(a,p) = 1$ of multiplicative order $\operatorname{ord} a = t$, we have, as $p \to \infty$,

$$N(p;a) \le p^{1+o(1)} t^{-1/12}.$$

Proof. Let $a$ be a non-zero residue class modulo $p$ of multiplicative order $t \mid p-1$. As before, we put

$$T = \frac{p-1}{t}.$$

Clearly, there is a primitive root $g$ modulo $p$ with $a \equiv g^T \pmod p$. Using the discrete logarithm to base $g$, the congruence (1) is equivalent to

$$x \operatorname{ind} x \equiv T \pmod{p-1}.$$

Note the condition $\gcd(x, p-1) \mid T$. After fixing $d \mid T$ and considering only the solutions to (1) with $\gcd(x, p-1) = d$, they can be written as $x = dy$ and satisfy

$$y \operatorname{ind}(dy) \equiv T_d \pmod D, \qquad 1 \le y \le D, \qquad \gcd(y, D) = 1,$$

where, as before,

$$T_d = \frac{T}{d} \qquad \text{and} \qquad D = \frac{p-1}{d}.$$

Note that $t \mid D$. The congruence $yz \equiv 1 \pmod D$ defines a one-to-one correspondence between the integers $\{1 \le y \le D : \gcd(y, D) = 1\}$ and $z \in \mathbb{Z}_D^*$.

Furthermore, the relation $yz \equiv 1 \pmod D$ defines a one-to-$M_d$ correspondence between the set $\{1 \le y \le D : \gcd(y, D) = 1\}$ and $z \in \mathbb{Z}_{p-1}^*$, where $M_d$ is the number of residue classes in $\mathbb{Z}_{p-1}^*$ of the form $z + kD$. These residue classes are automatically coprime to $D$, but we have to ensure that they are coprime to $d$ as well (and thus belong to $\mathbb{Z}_{p-1}^*$). Thus, using $\mu(k)$ to denote the Möbius function, by [5, Theorem 263] (which is essentially the inclusion-exclusion principle) we obtain

$$M_d = \sum_{k=1}^{d} \sum_{f \mid \gcd(z+kD,\, d)} \mu(f) = \sum_{f \mid d} \mu(f) \sum_{\substack{k=1 \\ z+kD \equiv 0 \pmod f}}^{d} 1 = \sum_{\substack{f \mid d \\ \gcd(f, D) = 1}} \mu(f) \frac{d}{f} = d \frac{\varphi(m)}{m},$$

where $\varphi(k)$ is the Euler function and $m$ is the product of the primes $q$ with $q \mid d$ and $q \nmid D$, see [5, Equation (16.3.1)]. In particular $m \le d \le p$ and, recalling the well-known estimate on the Euler function, see [5, Theorem 328], we obtain

$$M_d = d p^{o(1)}.$$

From now on the integer $1 \le y \le D$ and the residue class $z \in \mathbb{Z}_{p-1}^*$, with or without subscripts, are always connected by $yz \equiv 1 \pmod D$, even if this is not explicitly stated.

Let us define

$$\mathcal{Z}_d = \{ z \in \mathbb{Z}_{p-1}^* : \operatorname{ind}(dy) \equiv Dz/t \pmod D,\ 1 \le y \le D \}$$

(we recall our convention that we always have $yz \equiv 1 \pmod D$). We have

$$N(p;a) = \sum_{d \mid T} \frac{\#\mathcal{Z}_d}{M_d} \le p^{o(1)} \sum_{d \mid T} d^{-1} \#\mathcal{Z}_d. \tag{16}$$
The congruence $\operatorname{ind}(dy) \equiv Dz/t \pmod D$ is equivalent to

$$dy \equiv \rho g^{Dz/t} \pmod p,$$

for some $\rho \in \mathbb{Z}_p^*$ with $\rho^d \equiv 1 \pmod p$. Thus we split $\mathcal{Z}_d$ into subsets $\mathcal{Z}_{d,\rho}$, getting

$$\#\mathcal{Z}_d = \sum_{\rho^d \equiv 1 \pmod p} \#\mathcal{Z}_{d,\rho}, \tag{17}$$

where

$$\mathcal{Z}_{d,\rho} = \{ z \in \mathbb{Z}_{p-1}^* : dy \equiv \rho g^{Dz/t} \pmod p,\ 1 \le y \le D \}$$

(and again we recall our convention that $yz \equiv 1 \pmod D$). Clearly,

$$(\#\mathcal{Z}_{d,\rho})^2 = \#\{ z_1, z_2 \in \mathbb{Z}_{p-1}^* : dy_j \equiv \rho g^{Dz_j/t} \pmod p,\ j = 1, 2 \}.$$

We have by adding the two congruences that

$$(\#\mathcal{Z}_{d,\rho})^2 \le \#\{ z_1, z_2 \in \mathbb{Z}_{p-1}^* : d(y_1 + y_2) \equiv \rho\left( g^{Dz_1/t} + g^{Dz_2/t} \right) \pmod p \} = \sum_{v \in \mathbb{Z}} \#\{ z_1, z_2 \in \mathbb{Z}_{p-1}^* : d(y_1 + y_2) = v,\ \rho\left( g^{Dz_1/t} + g^{Dz_2/t} \right) \equiv v \pmod p \}.$$

The sum over $v \in \mathbb{Z}$ is empty unless $v = dw$, where $2 \le w \le 2D$, and we get by the Cauchy–Schwarz inequality that

$$(\#\mathcal{Z}_{d,\rho})^4 \le 2D \#\{ z_1, z_2, z_3, z_4 \in \mathbb{Z}_{p-1}^* : d(y_1 + y_2) = d(y_3 + y_4) \equiv \rho\left( g^{Dz_1/t} + g^{Dz_2/t} \right) \equiv \rho\left( g^{Dz_3/t} + g^{Dz_4/t} \right) \pmod p \}.$$

Clearly, when $z_1, z_2, z_3, z_4 \in \mathbb{Z}_{p-1}^*$ are fixed, then the condition

$$d(y_1 + y_2) = d(y_3 + y_4) \equiv \rho\left( g^{Dz_1/t} + g^{Dz_2/t} \right) \equiv \rho\left( g^{Dz_3/t} + g^{Dz_4/t} \right) \pmod p$$

defines $\rho$ uniquely. Hence

$$\sum_{\rho^d \equiv 1 \pmod p} (\#\mathcal{Z}_{d,\rho})^4 \le 2D \#\{ z_1, z_2, z_3, z_4 \in \mathbb{Z}_{p-1}^* : y_1 + y_2 = y_3 + y_4,\ g^{Dz_1/t} + g^{Dz_2/t} \equiv g^{Dz_3/t} + g^{Dz_4/t} \pmod p \}.$$

Relaxing the condition $y_1 + y_2 = y_3 + y_4$ to $y_1 + y_2 \equiv y_3 + y_4 \pmod D$ only increases the number of solutions (but allows us to think about residue classes modulo $D$ defined by $y_j z_j \equiv 1 \pmod D$, $j = 1, 2, 3, 4$). Thus

$$\sum_{\rho^d \equiv 1 \pmod p} (\#\mathcal{Z}_{d,\rho})^4 \le 2D \#\{ z_1, z_2, z_3, z_4 \in \mathbb{Z}_{p-1}^* : y_1 + y_2 \equiv y_3 + y_4 \pmod D,\ g^{Dz_1/t} + g^{Dz_2/t} \equiv g^{Dz_3/t} + g^{Dz_4/t} \pmod p \}.$$

Finally, after the substitution $z_j \to w z_j$ for $w \in \mathbb{Z}_{p-1}^*$ (and thus $y_j \to w^{-1} y_j$), $j = 1, 2, 3, 4$, where $w^{-1}$ is defined modulo $D$, we obtain that any solution is counted with multiplicity $\varphi(p-1)$, that is,

$$\sum_{\rho^d \equiv 1 \pmod p} (\#\mathcal{Z}_{d,\rho})^4 \le \frac{2D}{\varphi(p-1)} \#\{ z_1, z_2, z_3, z_4, w \in \mathbb{Z}_{p-1}^* : y_1 + y_2 \equiv y_3 + y_4 \pmod D,\ g^{Dwz_1/t} + g^{Dwz_2/t} \equiv g^{Dwz_3/t} + g^{Dwz_4/t} \pmod p \}. \tag{18}$$

Writing $X = g^w \pmod p$ and $k_j = Dz_j/t = (p-1)z_j/(dt) = T_d z_j$, after fixing $z_1, z_2, z_3, z_4$, the number of $w \in \mathbb{Z}_{p-1}^*$ satisfying the congruence in (18) is bounded by the number of solutions to the congruence $X^{k_1} + X^{k_2} \equiv X^{k_3} + X^{k_4} \pmod p$, and this is bounded in Lemma 6, applied with $n = 4$, by $O\left( p^{2/3} \Delta^{1/3} \right)$, where

$$\Delta = \min_{1 \le i < j \le 4} \gcd\left( T_d (z_i - z_j), p-1 \right) = T_d \min_{1 \le i < j \le 4} \gcd(z_i - z_j, dt).$$

For every fixed $1 \le i < j \le 4$ and $\delta \mid dt$ there are $(p-1)^2/\delta$ choices for $(z_i, z_j)$ with

$$\gcd(z_i - z_j, dt) = \delta.$$

When $z_i$ and $z_j$ are fixed the congruence $y_1 + y_2 \equiv y_3 + y_4 \pmod D$ implies that there are $d p^{1+o(1)}$ choices for the remaining two variables. (Recall that each $y$ determines $M_d = d p^{o(1)}$ different choices of $z$.) Thus, putting everything together in (18) and recalling (13), we obtain

$$\sum_{\rho^d \equiv 1 \pmod p} (\#\mathcal{Z}_{d,\rho})^4 \le \frac{2D}{\varphi(p-1)} \sum_{\delta \mid dt} \frac{(p-1)^2}{\delta}\, d p^{1+o(1)}\, p^{2/3} (T_d \delta)^{1/3} = dD p^{8/3+o(1)} T_d^{1/3} \sum_{\delta \mid dt} \delta^{-2/3} = p^{11/3+o(1)} T_d^{1/3} = \frac{p^{4+o(1)}}{(dt)^{1/3}}.$$
Putting this into (17), we get by the Hölder inequality

$$\#\mathcal{Z}_d \le d^{3/4} \Bigl( \sum_{\rho^d \equiv 1 \pmod p} (\#\mathcal{Z}_{d,\rho})^4 \Bigr)^{1/4} \le d^{2/3} p^{1+o(1)} t^{-1/12}.$$

Finally, (16) and (13) give

$$N(p;a) \le p^{o(1)} \sum_{d \mid T} d^{-1/3} p^{1+o(1)} t^{-1/12} \le \frac{p^{1+o(1)}}{t^{1/12}},$$

and we conclude the proof. □



4 Symmetric Congruence

We now improve the bound (6) on the number of solutions to the symmetric congruence (3).

Theorem 8 We have, as $p \to \infty$,

$$M(p) \le p^{48/25+o(1)}.$$

Proof. From (4) we obtain

$$M(p) \le \sum_{t \mid p-1} \sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a)^2.$$

We fix some parameter $\vartheta$ and for $t \le \vartheta$ we use Theorem 2 to estimate

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a)^2 \le \Bigl( \sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a) \Bigr)^2 \le \max\{ t^2 p^{o(1)}, p^{1+o(1)} t^{1/2} \} \le \max\{ \vartheta^2 p^{o(1)}, p^{1+o(1)} \vartheta^{1/2} \}.$$

For $t > \vartheta$ we use Theorem 7 together with (5) to estimate

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a)^2 \le p^{1+o(1)} t^{-1/12} \sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a) \le p^{2+o(1)} \vartheta^{-1/12}.$$

Taking

$$\vartheta = p^{24/25}$$

to balance the above estimates, we obtain the bound

$$\sum_{\substack{a \in \mathbb{Z}_p^* \\ \operatorname{ord} a = t}} N(p;a)^2 \le p^{48/25+o(1)},$$

and using (13) we conclude the proof. □

5 Concluding Remarks

Clearly Theorem 2 is nontrivial provided that $t \le p^{1-\varepsilon}$ for some $\varepsilon > 0$, while Theorem 7 is nontrivial provided $t \ge p^{\varepsilon}$, for an arbitrary $\varepsilon > 0$ and a sufficiently large $p$. In particular, using Corollary 3 for $t \le p^{12/13}$ and Theorem 7 for $t > p^{12/13}$, we derive (2).

It is also easy to see that all but $o(p)$ elements $a \in \mathbb{Z}_p^*$ are of multiplicative order $t = p^{1+o(1)}$. Thus for almost all $a \in \mathbb{Z}_p^*$ we have $N(p;a) \le p^{11/12+o(1)}$ by Theorem 7.

Similar results can also be established for several other congruences. For example, the same arguments as those used in the proof of Theorem 4 imply that the congruence

$$x^{x-1} \equiv 1 \pmod p, \qquad 1 \le x \le p-1,$$

has $O\left( p^{1/3+o(1)} \right)$ solutions. This means that the function $x \mapsto x^x \pmod p$ has $O\left( p^{1/3+o(1)} \right)$ fixed points in the interval $1 \le x \le p-1$.